Searches for Free Printable Items Lead to Malicious Domains

Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine.

Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). These compromised sites are rigged with malicious JavaScript detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC, which trigger a set of redirections whenever users visit the sites. The redirections ultimately lead to a rogue search engine, which by default puts the original search string into its own search text box.
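The redirection chain described above leaves a recognizable trace in web proxy logs: a click from a search engine lands on one site, and within seconds the same client requests a different site whose URL carries the original search string. The following is an added detection sketch, not code from the original entry; the log format, the host names, the search engine list and the 10-second window are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumed list
WINDOW = 10  # max seconds between landing and hand-off (assumed threshold)

# Constructed proxy log: epoch, client, requested URL, referrer ("-" if none)
SAMPLE_LOG = """\
1264584600 10.0.0.5 http://compromised.example/free-printable-calendar.html http://www.google.com/search?q=free+printable+calendar
1264584601 10.0.0.5 http://hop.example/in.cgi?3 http://compromised.example/free-printable-calendar.html
1264584602 10.0.0.5 http://rogue-search.example/search.php?q=free+printable+calendar http://hop.example/in.cgi?3
1264584700 10.0.0.9 http://crafts.example/free-printable-cards.html http://www.google.com/search?q=free+printable+cards
1264584705 10.0.0.9 http://crafts.example/img/card1.png http://crafts.example/free-printable-cards.html
"""

def query_values(url):
    """Return the lower-cased query-string values of a URL."""
    qs = parse_qs(urlsplit(url).query)
    return {v.strip().lower() for vals in qs.values() for v in vals}

def find_hijacks(log_text):
    """Flag clients whose search terms reappear on a third-party host."""
    pending = {}  # client -> (time, search terms, landing host)
    hits = []
    for line in log_text.splitlines():
        ts, client, url, referrer = line.split()
        ts, host = int(ts), urlsplit(url).hostname
        ref = urlsplit(referrer)
        if ref.hostname in SEARCH_ENGINES:
            # Click-through from a search result: remember the query.
            terms = parse_qs(ref.query).get("q", [""])[0].strip().lower()
            if terms:
                pending[client] = (ts, terms, host)
            continue
        if client not in pending:
            continue
        start, terms, landing = pending[client]
        if ts - start > WINDOW:
            del pending[client]  # too late to be an automatic redirect
        elif host not in SEARCH_ENGINES and host != landing and terms in query_values(url):
            hits.append({"client": client, "terms": terms,
                         "landing": landing, "final": host})
            del pending[client]
    return hits

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, only the first client is flagged; the second client stays on the site it clicked through to and is ignored.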

For now, the cybercriminals’ goal in all this seems to be hijacking traffic from search engines and redirecting it to their own in order to earn money. Whether it stays that way is not yet known, but users need to be wary, since it would be very easy for the cybercriminals to change the final landing site of the redirections to a malware-hosting site.

A diagram illustrating how the search hijacking works is shown below.

It is very possible that this blackhat SEO attack takes advantage of the fact that the interest in free printable items is relatively high, especially in South Africa and in the United States.

We are strongly advising users not to use search strings that include the words “free printable,” as the results may lead to malicious websites.

We are currently monitoring this attack and will update this entry with any developments.

Update as of January 27, 2010, 5:30 p.m. (GMT +8:00):

Below are screenshots of a page (and its source code) found inside a hijacked website that comes up when using the search string “free printable (some item).”

The compromised sites were made to host these keyword-ridden pages in an attempt to lead users to eventually execute the malicious JavaScript.
